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INTEGRITY * EFFICIENCY ★ ACCOUNTABILITY * EXCELLENCE 


Mission 

Our mission is to provide independent, relevant, and timely oversight 
of the Department of Defense that supports the warfighter; promotes 
accountability, integrity, and efficiency; advises the Secretary of 
Defense and Congress; and informs the public. 

Vision 

Our vision is to be a model oversight organization in the 
Federal Government by leading change, speaking truth, 
and promoting excellence—a diverse organization, 
working together as one professional team, recognized 
as leaders in our field. 
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(U) Resul 


13526 


1(b)(7)(E) 


1(b)(7)(E) 


1(b) (1), EO 13526, sec. 1.4(g) 


£&») Army commands' 


Specifically, 


among other findings, the Army 


Additionally, the! 


(U ) 1 SIPRNet access points are ail possible physical or 
logical connections where a user can access 
the network. 


(U ) 2 Logical security refers to system-based mechanisms {such as firewalls, permission settings, 
and usernames and passwords) that designate who or what has access to a specific system 
or function. 


Visit us at www.dodig.mil 
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(U) Army Comrr 
Security Safegu . 


1(b) (7)(E) 


1(b)(7)(E) 


ensure required security-related training 


[rQUQ) Commander, 7th Signal 
Command (Theater), review 
whether-subordinate commands 
implemented 9|ffi||BBHHI 


is taken; 


(TOUO) Division Chief, Army Spectrum Management Office, 
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(U) Results in 


!b) (7)(E) 


(b)(7)(E) 


(U) Recommendations (cant'd) 


(U) The Army Chief Information Officer; 


fl>) (7)(E> 


(U) Management 
Comments and 
Our Response 

(U) Based on management comments, 
we added the Commander, Army Cyber 
Command and Second Army, to eight 
recommendations; the Commander, 

7th Signal Command (Theater), to three 
recommendations; and the Division Chief, 
Army Spectrum Management Office, to 
two recommendations. We also removed 
the Commander, 7th Signal Command, from 
one recommendation and the Commander, 
TJ.S. Army Electronic Proving Ground from 
two recommendations. 


(U) recommendations and, therefore, no further comments are required. 
Comments from the Commander, 7th Signal Command (Theater), did not 
address the recommendation to ensure required training is taken before 
SIPRNet access and to maintain training records. 

|, responding for the Program 
| did not address the recommendation to develop and 

j. We 

request that the Commander and the Program Director provide 
additional comments on the final report. 

(U) The Commander, Network Enterprise and Technology Command; 


m^ilH did not provide comments on a draft of this report. We request 
that the Commander, Directors, and Staff Judge Advocate provide 
comments on the final report. 

(U) The Commander, Army Cyber Command and Second Army; and 
the Deputy Commanding General, Installation Management Command, 
provided unsolicited comments that addressed the specifics of the 
recommendations. The Division Chief, Army Spectrum Management 
Office, also provided unsolicited comments, but the comments did not 
address the recommendation to 


. yve request that the Division Chief, 
Army Spectrum Management Office, provide additional comments on 
this recommendations. Please see the Recommendations Table on the 


next page. 
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(U) Recommendations Table 


Commander, Network Enterprise 

Technology Command 

Recommendations 
Requiring Comment 

No Additional 
Comments Required 

Commander, 7th Signal Command (Theater) 

A.3,a, A.3.b 

A.4 

(b)(7)(E) 

A.8.a 

A.8.b, A.8.C 


B.3.a, B.3.b, B.4.a, B.4.b, 
B.4.C 



A.5.a, A.5.b, B.l.a, B.l.b 

B.7 

Army Chief Information Officer 


A.l, A.2.a, A.2.b 

(b)(7)(E) 

A.6 



B.6 


A.3.a, A.3,b, A.7.a, A.7.b, 
A.7.C, A.7.d, B.3.a, B.3.b 



B.2 

B.7 



A.3.a, A.3.b, A.9.a, A.9.b, 
A.9.C, A.9.d, A.9.e, B.2 

A. 3.a ( A.3.b, A.10, B.4.a, 

B. 4.b, B.4.C, B.5.a, 

B.5.b, B.6 



A. 5.a, A.5.b, A.ll, B.l.a, 

B. l.b 

A.3.a, A.3.b, A. 12.a, 

A.12.b, A.12.C, B.7 


Commander, Army Cyber Command and 

Secpnd Army 


A.2.a, A.2.b, A.3.a, A.3.b, 

A.7.a, A.7.b, A.7.C, and 
A.7.d 

Division Chief, Army Spectrum 

Management Office 

B.5.b 

B.5.a 

(U) 


(U) Please provide Management Comments by September 6, 2016. 
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INSPECTOR GENERAL 
DEPARTMENT OF DEFENSE 
4800 MARK CENTER DRIVE 
ALEXANDRIA, VIRGINIA 22350-1500 


August 5, 2016 


MEMORANDUM FOR AUDITOR GENERAL, DEPARTMENT OF THE ARMY 


SUBJECT: (U) Army Commands Need to Improve Logical and Physical Security Safeguards 
That Protect SIPRNet Access Points (Report No. DOD1G-2016-119) 


(S3 We are providing this report for review and comment. The Army commands 



(b)(1), EO 13526, see. 1.4(g) 


complete required training and access 
In addition, the Army 


(b)(1), EO 13526, sec. 1.4(g) 


request forms, 
commands 

We conducted this audit in 

accordance with generally accepted government auditing standards. 


(U) We considered management comments on a draft of this report when preparing the final 
report. Based on management comments, we added the Commander, Army Cyber Command 
and Second Army, to Recommendations A.2.a, A.2.b, A.3.a, A.3.b, A.7.a, A.7.b, A.7.C, and A.7.d; 
the Commander, 7th Signal Command (Theater) to Recommendations A,3.a, A.3.b, and A.4; and 
the Division Chief, Army Spectrum Management Office, to Recommendations B.S.a and B.S.b. 
We also removed the Commander, 7th Signal Command, from Recommendation A.2.a and the 
Commander, U.S. Army Electronic Proving Ground, from Recommendations B.S.a and B.S.b. 
DoD Directive 7650.03 requires that recommendations be resolved promptly. 




addressed all specifics of the recommendations. 


(U) Comments from the Commander, 7th Signal Command (Theater), did not address 
Recommendations A.3.a and A.3.b and comments from the! 



Therefore, we request the Commander and Program Director provide additional comments 
on these recommendations by September 6, 2016. 



Report No. DODIG-2016-119 |v 


SE€RB T 
















w 

did n °t P r °vide comments 

on a draft of this report. Therefore, we request that the Commander. 

provide comments on the final report by September 6, 2016. 

(U) The Commander, Army Cyber Command and Second Army; the Deputy Commanding 
General, Installation Management Command; and the Division Chief, Army Spectrum 
Management Office, provided unsolicited comments on a draft of this report. Comments 
from the Commander, Army Cyber Command and Second Army, addressed the command's 
responsibility to ensure corrective actions were taken across the Army. However, 
comments from the Division Chief, Army Spectrum Management Office, did not address 
Recommendation B.S.b. Therefore, we request additional comments on this recommendation 
by September 6, 2016. 

(U) Please provide comments that state whether you agree or disagree with the findings and 
recommendations. If you agree with our recommendations, describe what actions you have 
taken or plan to take to accomplish the recommendations and include the completion dates of 
your actions. If you disagree with the recommendations or any part of them, please give 
specific reasons why you disagree and propose alternative action if that is appropriate. 

(U) Please provide comments that conform to the requirements of DoD Instruction 7650.03. 
Classified comments must be sent electronically over the Secret Internet Protocol Router 
Network. Please send a PDF file containing your comments 

ancH^Hfl^HHim Copies of your comments must have the actual signature of 
the authorizing official for your organization. We cannot accept the /Signed/ symbol in place 
of the actual signature. Comments provided on the final report must be marked and 
portion-marked, as appropriate, in accordance with DoD Manual 5200.01. 

(U) We appreciate the courtesies extended to the staff. Please direct questions to me at 
(703) 699-7331 (DSN 499-7331). 

Carol N. Gorman 
Assistant Inspector General 
Readiness and Cyber Operations 
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Introduction 



(U) Our audit objective was to determine whether the Army effectively protected 
SECRET Internet Protocol Router Network (SIPRNet) access points. 3 Specifically, 
we reviewed the security safeguards 4 protecting SIPRNet access points at selected 
locations. This is the third in a series of audits to review the safeguards implemented 
by the Military Departments for protecting the SIPRNet. 

(U) Background 

(FOUO) The Army used a hybrid (centralized and decentralized) method to 
manage SIPRNet circuits 5 and security. The Army Network Enterprise Technology 
Command is the Army's information technology service provider. The 7th Signal 
Command (Theater) (7th SC[T]), a command subordinate to the Army Network 
Enterprise Technology Command, manages the continental United States portion of 
the Army's enterprise network, Land Warrior Network. 7th SC(T) also manages the 
regional and local Network Enterprise Centers 

The regional and local NECs work together to varying degrees 
to manage physical and logical safeguards 6 to protect the network. In addition to the 

In addition to Land Warrior Network, other Army commands manage SIPRNet 



(U ) 3 SIPRNet access points are ali possible physical or logical connections where a user can access the network. 

(U ) 4 For this report, security safeguards are information assurance controls. 

(U ) 5 Circuits are devices that transmit data between two or more points. 

(U ) 6 Physical safeguards (such as locks, guards, and security containers) deter or delay adversaries' unauthorized access to the 
network. Logical safeguards are system-based mechanisms (such as firewalls, permission settings, and usernames and 
passwords) that designate who or what has access to a specific system or function. 

Report No. DODIG-2016-119 11 












Introduction 


(U) Figure: Simplified View of Army SIPRNet Management Structure 


LANDWARNET 


Independently Managed Networks 

*(r?p resent alive o( networks selected) 




(U) Source: DoD Office of Inspector General. 

(U) We visited seven installations and reviewed physical and logical safeguards for 
SIPRNet access points at the following locations: 


(U ) 7 We visited the 


[b) (7)(E) 
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Introduction 


(U) The networks we reviewed were accredited under DoD Instruction 8510.01, 
"DoD Information Assurance Certification and Accreditation Program (DIACAP)," 
November 28, 2007. DIACAP was replaced by DoD Instruction 8510.01, 

"Risk Management Framework (RMF) for DoD Information Technology (IT)," 
March 12, 2014. However, the authorizations to operate for the networks included 
in the audit scope were issued under DIACAP. See Appendix B for a discussion on 
the transition to RMF. 


DoD Instruction 5010.40 8 requires DoD organizations to implement a 
comprehensive system of internal controls that provides reasonable assurance that 
programs are operating as intended and to evaluate the effectiveness of the controls. 


1(h)(7)(E) 




We will provide a copy of the report to the senior official responsible for internal 
controls at the Office of the Army Chief Information Officer, 



(h)(7)(E) 


(U) 8 DoD Instruction 5010.40, "Managers' Internal Control Program Procedures/' May 30, 2013. 
(U ) 9 
(U ) 1 
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£ FOUO) The Army 

Specifically: 


1(b)(1), EO 1352b. sec. 1.4(g) 






























Finding A 


* (FOUO) |_ 

did not review and verify that 

SIPRNet user access request forms were properly completed. This 
occurred because the commands did not establish and implement 
processes to verify the forms were properly completed. 


gegej l 



d ' FOUOj j_ 

~' did not ensure all personnel 

completed required security training before being granted access to the 
SIPRNet. This occurred because the commands did not establish policies 
and procedures to verify that users completed all required training 
before being granted SIPRNet access. 






(FOUO) 


[(b)(7)(E) 



the Army Network Enterprise Technology Command list of jBBj SIPRNet circuits owned 
by Army installations did not include circuits that were found on a Defense 
Information Systems Agency-managed list of Army SIPRNet circuits. In addition, the 
Army's list of ^Btl circuits included j@| circuits that were not on Defense Information 
Systems Agency's list. We determined that discrepancies existed between the two lists, 
but did not verify the accuracy and completeness of either list. 
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Finding A 


(FOUO) In addition, we discovered circuit information that was different from the 
information reported by Army Network Enterprise Technology Command and 
7thSC(T). Specifically,! 



The Army Chief Information Officer, in coordination 
with the Army Cyber Command and Second Army, should establish and implement 
procedures to I 



(U) 12 Defense Information Systems Agency, "Access Control in Support of Information Systems," Security Technical 
Implementation Guide version 2, release 3, October 29, 2010. 
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Finding A 





(U) 13 Internet Protocol addresses are identifiers that are assigned to equipment connected to the network. 


(U) 15 Report No. DODIG-2015-168, "Air Force Commands Need to Improve Logical and Physical Security Safeguards That 

Protect SIPRNet Access Points," September 3, 2015 and Report No. DoDIG-2015-046, "Navy Commands Need to Improve 
Logical and Physical Controls Protecting SIPRNET Access Points/' December 10, 2014. 
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Finding A 


(i). tO 13526. see. 1.4(g) 


Table 1 shows the length of time the 


l>) (I), tu I3526, see. 1.4(g) 


(U) Table 1. Number and Duration o 



(U) 17 For this report,^ f r ' /, / ; * ( 

(U) Chairman of the Joint Chiefs of Staff Instruction (CJCSI) 6510.01F, "information Assurance (IA) and Support to Computer 
! Network Defense (CND)/'February 9, 2011. 

(U) 19 Army Regulation 25-2, "Information Assurance/' March 23, 2009. 
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Finding A 




utrtJj 


(b)(7)(E) 
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(U) is 3 network tool that compares audit log events to defined 

organizational rules and generates a report of reportable events. 

(U) 25 Boundary protection is monitoring and controlling communications at the external boundary of an information system to 
prevent and detect malicious and other unauthorized communications. 
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(U) System Access Forms Were Not Completed or 
Incorrectly Completed 



officials did not review and verify that SIPRNet user access 
request forms were completed as required by DoD guidance, which requires each user 
who requests SIPRNet access to complete a: 


© (U) DD Form 2875, "System Authorization Access 

Request (SAAR);" 26 and 


© (U) DD Form 2842, "Department of Defense Public Key 

Infrastructure (PKI) Certificate of Acceptance and Acknowledgement 
of Responsibilities," August 2009. 27 








(U) The IA officials did not verify completion of required forms to gain SIPRNet access. 
We performed control tests for DD Forms 2875 and 2842 to verify whether the forms 1 
were correctly completed for: 


(U) 42 personnel at 
(U) 35 personnel at 
(U) 33 personnel at 
(U) 44 personnel at 
(U) 21 personnel at 
(U) 43 personnel at 



, and 


(U) 26 DD Form 2875 documents supervisor, security manager, and IA officer approval for system access and need-to-know. It 
is required by the Defense Information Systems Agency, "Enclave" Security Technical Implementation Guide, version 4, 
release 5, August 21, 2014. 

(U) 27 DD Form 2842 is completed by users to acknowledge their responsibility to safeguard tokens and the registration official 
to verify the identity of the users who fill out the form. 
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Finding A 


(U) We identified errors in the forms reviewed, so the control test failed. See 
Appendix C for test results. Table 2 identifies the number of forms received out of 
the number requested and whether the forms were completed correctly. 


(U) Table 2. Test Results of Forms Required for SIPRNet Access 


(U) 

DD Form 2875 

DD Form 2842 


in I 


Received (out of 42) 

42 

31 

Completed Correctly 

5 

4 

Completed Incorrectly 

37 

27 

Forms Not Received 

0 

11 


(W(7)[E) | 


Received (out of 35) 

35 

32 

Completed Correctly 

26 

31 

Completed Incorrectly 

9 

1 

Forms Not Received 

0 

3 

Received (out of 33) 

jjjb)<7,,E, ; ; : m | 


Completed Correctly 

N/A 

7 

Completed Incorrectly 

N/A 

22 

Forms Not Received 

‘ (b)(7)(E) j 


Received (out of 44) 

23 

18 

Completed Correctly 

7 

18 

Completed Incorrectly 

16 

0 

Forms Not Received 

21 

26 


1(b)(7)(E) | 


Received (out of 21) 

21 

19 

Completed Correctly 

18 

8 

Completed Incorrectly 

3 

11 

Forms Not Received 

|p){7)(E^^^^^^ ■ | ; 


Received (out of 43) 

8 

11 

Completed Correctly 

0 

9 

Completed Incorrectly 

8 

2 

Forms Not Received 

35 

32 

(U) 
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Finding A 


System access forms were not completed or incorrectly completed because 
officials 

did not establish and implement effective procedures to verify 
the forms were properly completed before granting network access. In addition, the 
commands did not request copies of the DD Forms 2842 from the commands that 
previously issued SIPRNet tokens and did not implement procedures to validate 
whether the tokens were properly authorized. Since personnel movements 
in the military are frequent, the lack of procedures to verify SIPRNet token 
authorizations by prior commands may represent a systemic issue across the Army. 
The Army Chief Information Officer should develop policy and procedures to verify 
whether SIPRNet users were properly authorized to access the system when 
transferring from one command to another. 


(U) Without adequate access controls, personnel at these commands may have been 
granted access to classified information without a need to know. To ensure the 
confidentiality of the SIPRNet, a determination is needed 28 on whether a user has the 
appropriate need-to-know and authorizations to access the network. These decisions 
are documented on the DD Forms 2875 and 2842. 


should develop procedures to verify that access forms are 
properly completed before granting access to the SIPRNet. 



(b)(7)(E) 


did not ensure all personnel completed required initial and 
refresher security-related training as a condition for accessing the SIPRNet. Specifically, 
IA officials did not require users to complete initial and annual IA and security 
awareness training and did not verify that all SIPRNet users completed this training. 
Additionally, they did not require all personnel with SIPRNet access to complete a 


(U) 28 A determination of a user's need-to-know and authorization for access to SIPRNet is made by multiple personnel such as 
supervisors and security managers. 
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Finding A 


(U] NATO briefing. See Appendix D for test results. DoD guidance 29 requires all DoD 
civilians, military members, and onsite support contractors with access to classified 
information to receive annual refresher training that reinforces the policies, principles, 
and procedures covered in their initial and specialized training. The guidance also 
requires users to take IA training before being granted access to a system and 
annually thereafter. 

(U) DoD guidance 30 also requires that all DoD military and civilian personnel be 
briefed on their responsibilities for protecting NATO information. Contractors also 
have access to classified information, so they are required to receive the NATO briefing. 
Security personnel 

did not ensure that all users completed the NATO security 
briefing. Specifically, these commands did not provide documentation to support that 
allusers completed the briefing. 

fFOUO) Security personnel at^ym stated that they did not require a NATO briefing 
because and they were not aware that the 

briefing was required for all personnel with access to the SIPRNet. Instead, the security 
personnel stated that if a user required access to NATO information, provided a 

NATO briefing to that specific user. In addition, thejj^y^l information system 
security manager stated that Army policy did not specifically require NATO briefings. 
Although Army policy did not specifically require the NATO briefings, DoD policy 
requires the briefing for all civilians, military, and contractors with access to classified 
information. NATO information 

Also, NATO information is not always clearly marked. Therefore, 
SIPRNet users could potentially access NATO information, whether sent through e-mail 
or viewed online, or users may not be protecting the information as required by NATO 
standards. Table 3 identifies security training documents received out of the number 
requested and whether the training documents were properly completed. 


(U) 29 DoD Manual 5200.01, volume 3, "DoD Information Security Program: Protection of Classified Information," 

March 19, 2013, and Chairman of the Joint Chiefs of Staff Instruction 6510.01F, "Information Assurance (IA) and Support 
\ to Computer Network Defense (CND)," February 9,2011. 

(U) 30 DoD Manual 5200.01, volume 1, "DoD Information Security Program: Overview, Classification, and Declassification," 

■ February 24, 2012. 
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Finding A 


(U) Table 3. Test Results of Required Security Training 


(U) 


! 1A Training 

Security Assui 

ance Training 

NATO 

... , . • 

. ' ■ - . • . ' .. ■' V 

initial 

Annual 

(b)(7) ; 

Initial Annual 

. 

Briefing 

Received (out of 42) 

41 

42 

1 

42 

42 

Completed Correctly 

34 

42 

1 

42 

31 

Completed Incorrectly 

7 

0 

0 

0 

ill 

Forms Not Received 

1 

0 

41 

0 

0 

Received (out of 35) 

35 

(b)(7)(E) | 

23 

35 

0 

Completed Correctly 

35 

35 

23 

35 

0 

Completed Incorrectly 

0 

0 

0 

0 

0 

Forms Not Received 

0 

0 

12 

0 

35 


iSililili 

, : ■ / V; 

(b)(7)(E) 

“1 " 

| 



Received (out of 33) 

0 

33 

8 

15 

18 

Completed Correctly 

0 

33 

2 

7 

6 

Completed incorrectly 

0 

0 

6 

8 

12 

Forms Not Received 


(b)(7)(E) 

1 

1 

18 

15 

Received (out of 44) 

0 

20 

23 

7 

27 

Completed Correctly 

0 

20 

23 

7 

27 

Completed Incorrectly 

0 

0 

0 

0 

0 

Forms Not Received 

44 

24 

21 

37 

17 

i 

1 

! 


(b) ( 

[7){E) 

“1 

s.;.vv 


Received (out of 21) 

21 

21 

0 

21 

20 

Completed Correctly 

21 

21 

0 

20 

19 

Completed Incorrectly 

0 

0 

0 

1 

1 

Forms Not Received 

0 

0 

21 

0 

1 1 



' (1 

»>(7)(E) 

1 



Received (out of 43) 

0 

13 

7 

9 

11 

Completed Correctly 

0 

13 

6 

6 

5 

Completed Incorrectly 

0 

0 

1 

3 

6 

Forms Not Received 

43 

30 

36 

34 

32 

(U) 


(U) Personnel responsible for training and granting SIPRNet access al 


(b)(7)(E) 



did not 


establish policies and procedures to verify that users completed all required training 
before being granted SIPRNet access. The requirement to complete IA, security 
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(U) awareness, and NATO training ensures that users are trained on how to properly 
protect information, limiting the risk of unauthorized access to or disclosure of 
classified information. Without completing required security-related training, 
users could accidentally expose the SIPRNet to vulnerabilities or divulge sensitive 
information to personnel without a need-to-know. After notifying management of 
the problem, Security Office implemented a plan 

to complete required security-related training, however, the plan did not include 
verifying users training is complete prior to granting SIPRNet access. 

(U) The Commander, Network Enterprise and Technology Command, and the 
Commander, Army Cyber Command and Second Army, in coordination with the 
Commander, 7th 


should 

develop and implement procedures to verify personnel and contractors that request 
SIPRNet access complete initial and annual IA, security awareness, and NATO training 
as a condition for obtaining and maintaining access. In addition, the commands should 
implement a process to identify and retain records of individuals who completed the 
required training. 


J iTaI M¥*A 


a 


(FOUO) 



Therefore, the Army Chief Information Officer, in coordination with the Commander, 
Army Cyber Command and Second Army, should review the deficiencies identified in 
this report, require a thorough review of the Army SIPRNet security safeguards 
performed at each command within the Army, and apply corrective actions 
as necessary. 
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(U) Recommendations, Management Comments, 
and Our Response 

(U) Renumbered Recommendations 

(U] As a result of management comments, we renumbered draft Recommendation A.l.a 
as Recommendation A. 1, draft Recommendation A.l.b as Recommendation A.2.b, and 
draft Recommendation A.2 as Recommendation A.2.a. 

(U) Recommendation A.l 

(U) We recommend that the Army Chief Information Officer develop and 
implement policies and procedures to verify whether SECRET Internet Protocol 


Router Network 

(b) (7)(E) 




(U) Army Chief Infonnation Officer Comments 

(U] The Acting U.S. Army Cybersecurity Director, Headquarters Department of the 
Army, Chief Information Officer/G-6, responding on behalf of the Army Chief 
Information Officer, neither agreed nor disagreed, and stated that the Chief Information 
Officer would review the issue, identify policy gaps, and issue guidance to resolve the, 
issues within of the date of the final report. 

(U) Our Response 

(U) Comments from the Acting Director addressed all of the specifics of the 
recommendation and no further comments are required. However, we request a copy 
of the resulting guidance, when issued for our review and acceptance before we can 
close the recommendation. 

(U) Recommendation A.2 

f F QE FO j We recommend that the Army Chief Information Officer, in coordination 
with the Commander, Army Cyber Command and Second Army: 

a. (U) establish and implement procedures 
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b. (FOUO) review the deficiencies identified in this report, require a 
thorough review of the Army SECRET Internet Protocol Router 
Network security safeguards performed at each command within 
the Army, and apply corrective actions as necessary. 

(U) 7th SC(T) Comments 

(U) The Commander, 7th SC(T), disagreed, stating that the 7th SC(T) had responsibility 
circuits owned 





(U) Our Response 

(U) Based on the Commander's comments, we removed the Commander, 7th SC(T], as 
an addressee and added the Commander, Army Cyber Command and Second Army, to 
Recommendations A.2,a and A.2.b. Although the Commander stated thatffl^^E||^|i 


(U) Army Chief Information Officer Comments 

(TOUO) The Acting U.S. Army Cybersecurity Director, Headquarters Department of 
the Army, Chief Information Officer/G-6, responding on behalf of the Army Chief 
Information Officer, neither agreed nor disagreed, and stated that the Chief Information 
Officer would review the issue, identify policy gaps, and issue guidance to resolve the 
issues within of the date of the final report. In addition, the Acting Director 
stated that the Chief Information Officer would coordinate with Army Cyber Command 
and Second Army and, based on their review of Army security safeguards, identify and 
implement corrective actions withirUfm °f the date of the final report. Furthermore, 
the Acting Director stated that the Chief Information Officer would also coordinate with 
the Network Enterprise Technology Command to resolve issues with managing SIPRNet 
circuits within^^ of the date of the final report. 
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(U) Our Response 

(U) Comments from the Acting Director addressed all of the specifics of the 
recommendation, and no further comments are required. However, we request a 
copy of the resulting guidance when issued for review and acceptance before we can 
close the recommendation. 

(U) Army Cyber Command and Second Army Comments 
(U) Although not required to comment, the Deputy Commanding General, Operations, 
Army Cyber Command and Second Army, stated that Army Cyber Command and Second 
Army had command authority to direct SIPRNet operations. In addition, the Deputy 
Commanding General stated that Army Cyber Command and Second Army would work 
with the Army Chief Information Officer to develop policy. The Deputy Commanding . 
General stated that Army Cyber Command and Second Army would also work with local 
commands to 

(U) Our Response 

(U) Based on the Deputy Commanding General's comments, we added the Commander, 
Army Cyber Command and Second Army, as an addressee for Recommendations A.2.a 
and A.2.b. Comments from the Deputy Commanding General were responsive to the 
recommendation. If no further comments are provided, we will consider these 
comments as management's response to the final report. 

(U) Recommendation A.3 


(U) We recommend that the Commander, Network Enterprise Technology 
Command, and the Commander, Army Cyber Command and Second Army, in 
coordination with the Commander, 7th Signal Command (Theater);ffl 



a. (U) develop and implement procedures to verify that personnel 
and contractors requesting SECRET Internet Protocol Router 
Network access complete initial and annual security-related 
training and the North Atlantic Treaty Organization briefing as a 
condition for obtaining and maintaining access; and 
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b. (U) implement a process to identify and retain training records for 
personnel to support the requirements for accessing the SECRET 
Internet Protocol Router Network, 



a training plan to ensure required training was completed and properly annotated 
before granting SIPRNet access. stated 


developed the plan in March 2016. In addition, the jUjjjjg^ ^ 

WKKHtKKKKKKSA state d that worked with applicable 

security groups to correct its process to retain training records for personnel with 
SIPRNet access. 

(U) Our Response 

(U) Comments from addressed all of the 

specifics of the recommendation, and no further comments are required. However, we 
request a copy of the approved plan to retain training records before we can close 
the recommendation. 

(U) Management Comments Required 

(U) The Commander, Network Enterprise Technology Command: 

did not 

provide comments on a draft of this report. We request that the Commanders and 
Directors provide comments on the final report. 

(U) 7th SC(T) Comments 

(U) Although not required to comment, the Commander, 7th SC(T), stated that the 
Network Enterprise Technology Command should coordinate with the 7th SC(T) to 
confirm and enforce established procedures in the continental United States. The 
Commander stated that 7th SC(T) had procedures to verify required training was taken 
and that 7th SC(T) processed all network access requests and validated security 
clearance eligibility forj|jf|||j through the 7th SC(T) security office. The Commander 
stated that 7th SC(T) procedures ensured all security training, including annual security 
refresher, derivative classification, and NATO awareness training, was completed. 

Report No. DOD1G-2016-119 | 20 


SECRET 










Finding A 


(U] The Commander also stated that the 7th SC(T) security office retained security 
training records for^^j and directed the use of the Army Training and Certification 
Tracking System to track training required for accessing networks. The Commander 
stated that 7th SC(T] would ensure subordinate organizations complied with 
existing requirements. 

(U) Our Response 

(U) Based on the Commander's comments, we added the Commander, 7th SC(T), as an 
addressee for Recommendations A.3.a and A.3.b. Comments from the Commander were 
partially responsive. As previously reported, officials could not provide support 

that all 42 personnel in our sample completed the required training as a condition for 
receiving or maintaining SIPRNet access. Therefore, the existing requirements 
described by the Commander were not effective in tracking training completion and 
should be reviewed and updated. We request additional comments on how the 
Commander, 7th SC(T), plans to effectively track and retain training records. 

(U) Army Cyber Command and Second Army Comments 

(U) Although not required to comment, the Deputy Commanding General, 

Operations, Army Cyber Command and Second Army, stated that the Network 
Enterprise Technology Command would need to coordinate with the NECs and to 
implement corrective actions, which would result in circumventing several layers of , 
command. The Deputy Commanding General stated that Army Cyber Command and ' 
Second Army would take necessary actions to ensure subordinate commands 
implemented the recommendations within|mj| of the date of the final report. 

(U) Our Response 

(U) Based on the Deputy Commanding General's comments, we added the Commander, 
7th SC(T), as an addressee for Recommendation A.3. Comments from the Deputy 
Commanding General were responsive to the recommendation. If no further comments 
are provided, we will consider these comments as management's response to the 
final report. 


Report No. DODIG-2016-119 | 21 




SECRET 



Finding A 


(U) Recommendation A.4 

(FOUO) We recommend that the Commander, 7th Signal Command (Theater), 
verily whether subordinate commands implemented a SECRET Internet Protocol 
Router N etwork E|m§mi I 


(U) 7th SC(T) Comments 


(U) The Commander, 7th SC(T), agreed, and stated that the command issued an order 


requiring SIPRNet 



(U) Our Response 

(U) Comments from the Commander addressed all of the specifics of the 
recommendation, and no further comments are required. However, we request a copy 
of the order for our review and acceptance before we can close the recommendation. 


(U) Recommendation A.5 

(U) We recommend that thett^ 


a. (U) develop and implement procedures to verify that personnel 
and contractors requesting SECRET Internet Protocol Router 
Network access complete initial and annual security-related 
training and the North Atlantic Treaty Organization briefing as a 
condition for obtaining and maintaining access; and 

cwm m Comments 

(U) The Commander,responding for her command and on behalf 
of theHHHH^^MHB a § ree d, stating that the|||||^|||j^| 
mm an d the mm modified their process for requesting SIPRNet access to require the 
completion of initial security awareness training and the NATO briefing before the 
security manager signed DD Form 2875. 
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(U) Our Response 

(U) Comments from the Commander addressed all of the specifics of the 
recommendation, and no further comments are required. However, we request a copy 
of the modified and approved procedures for our review and acceptance before we can 
close the recommendation. 

b. (U) implement a process to identify and retain training records for 
personnel to support the requirements for accessing the SECRET 
Internet Protocol Router Network. 

Comments 

(U) The Commander, responding for her command and on behalf 

oftheH^^^^HI^H, a S reec l stating that the^^^mm 

and theHHU were now using the Total Employee Development System to track 
security awareness training completion and the Army Training and Certification 
Tracking System to track IA awareness training completion. The Commander stated 
that SIPRNet access would not be granted until training completion was verified and the 
certificates were loaded in the systems of record. 

(U) Our Response 

(U) Comments from the Commander addressed all of the specifics of the 
recommendation, and no further comments are required. However, we request a 
copy of the approved procedures for retaining training records for our review and 
acceptance before we can close the recommendation. 

(U) Recommendation A.6 

( FOU O) We recommend that 


(U) Management Comments Required 

(U) did not provide comments on a draft of this report 

We request that the Director provide comments on the final report. 
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(U) 7th SC(T) Comments 

(U] Although not required to comment, the Commander, 7th SC(T], stated that Army 
Cyber Command and Second Army should coordinate with the Network Enterprise 
Technology Command and the theater signal commands to establish and implement 
procedures Army-wide, The Commander stated that 7th SC(T) and subordinate 
organizations 


In addition, the Commander stated that 7th SC(T) was 


transitioning to the 


(UX7>(E) 



(V) Our Response 

(U) We acknowledge the Commander's comments, but did not redirect the 
recommendation to a higher-level command because the NECs need to be involved 
in developing and implementing corrective actions specific to their organizations. 
We agree with the Commander that deficiencies identified in the report may require 
Army-wide action, which is why we included a recommendation for the Army Chief 
Information Officer and Army Cyber Command and Second Army to review Army 
SIPRNet safeguards at each command and apply corrective actions as necessary. 


(U) Recommendation A.7 

(U) We recommend that the in coordination 

with the Commander, Army Cyber Command and Second Army: 



d. (U) develop and implement procedures to verily that access forms 
are properly completed before granting access to the SECRET 
Internet Protocol Router Network. 
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(U) Management Comments Required 

(u) did not provide comments on a draft of this report. We request 

that the Director provide comments on the final report. : 

(U) 7th SC(T) Comments 

(U) Although not required to comment, the Commander, 7th SC(T), stated that Army 
Cyber Command and Second Army should coordinate with the Network Enterprise 
Technology Command and the theater signal commands to establish and implement 
procedures Army-wide. The Commander stated that a 7th SC(T) regulation establishes 
a framework for managing vulnerabilities and includes procedures for mitigating and 
correcting vulnerabilities. In addition, the Commander stated that 7th SC(T) and 
subordinate organizations 



office validated security clearance and access eligibility as part of the process for 
completing access forms. 


(U) Our Response 

(U) We agree with the Commander's comments, and added the Commander, Army 
Cyber Command and Second Army, as an addressee for Recommendations A.7.a, A.7.b, 
A.7.c, and A.7d. However, we did not redirect the recommendation solely to a 
higher-level command because needs to be involved in developing and 
implementing corrective actions specific to its organization. We agree with the 
Commander that deficiencies identified in the report may require Army-wide action, 
which is why we included a recommendation for the Army Chief Information Officer 
and Army Cyber Command and Second Army to review Army SIPRNet safeguards at ; 
each command and apply corrective actions as necessary. Although the Commander 
stated the 7th SC(T) security office validated access forms, we previously reported that 
30 of the 42 SIPRNet access request forms reviewed for||j|j||l were not approved by a 
security manager. Without the security manager's signature, there is no assurance that 
security clearance and access eligibility was validated. 
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(U) Army Cyber Command and Second Army Comments 

(U) Although not required to comment, the Deputy Commanding General, Operations, 

Army Cyber Command and Second Army, stated 

The Deputy Commanding General stated that 
Army Cyber Command and Second Army would take necessary actions to ensure 
subordinate commands implemented the recommendations within HBil of the date 
of the final report. 

(U) Our Response 

(U) Based on the Deputy Commanding General's comments, we added Army Cyber 
Command and Second Army as an addressee for Recommendations A.7.a, A.7.b, A.7.c, 
and A.7.d. Comments from the Deputy Commanding General were responsive to the 
recommendations. If no further comments are provided, we will consider these 
comments as management's response to the final report. 

(U) Recommendation A.8 

(U) We recommend that 


a. 


(F0UO) develop and implement procedures mm 


required by DoD guidance; 


Comments 


mm neither agreed nor disagreed, stating thatdeveloped an 
account management policy and implemented a processj^^^^^m^^^^^^ 
mm and that this process was defined in standard operating procedures. 
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(U) Our Response 


(U) Comments from vTf '• 

| did 

not address the specifics of the recommendation. The standard operating procedure 

did not include a process for 


procedures address a process 


Therefore, we request that|j|^^mm|| 


additional comments 



b. (U) develop and implement procedures to verify that access forms 
are properly completed before granting access to the SECRET 
Internet Protocol Router Network; and 

c. (U) develop and implement procedures to verify personnel and 
contractors requesting SECRET Internet Protocol Router Network 
access complete the North Atlantic Treaty Organization briefing as 
a condition for obtaining and maintaining access. 

Comments 


1111111 neither agreed nor disagreed, stating that the command now required all 
access request forms to be reviewed and verified for accuracy and completeness. The 



stated that 


defined the processes in standard operating procedures. 


(U) Our Response 

(U) Comments from the| | l |j| j|l|f|j|^^ addressed 

all of the specifics of the recommendation, and no further comments are required. 
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(U) Recommendation A. 9 



(U) 



□ 

neither agreed nor disagreed, stating that 

bn 7 )( 1 ) V 



in accordance with 


Defense Information Systems Agency Security Technical Implementation Guides. 


(b)(7)(E) 


■(b)(7)(E) 



(U) Our Response 

(U) Comments from||||||^|mm|[^m^^^^^^H|[ addressed all of the 
specifics of the recommendation, and no further comments are required. 


b. (FQUO) develop and implement procedures tolH . > : 

required by DoD guidance; 



required by DoD guidance, and 

(b)(7)(E) 

as required by 


Army guidance; 
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(W 

(FOUO) 


Comments 


, neither agreed nor disagreed, stating that the 


b)(7)(E) 


issued an 


(b)(7)(E) 



■(b) (7){E) 


stated that since 


January 2016, 


(b)(7)(E) 


has followed the policy, which also requires 


(U) Our Response 

(U) Comments from the Garrison Commander and the Director addressed all of the 
specifics of the recommendation, and no further comments are required. 

d. (FOUO) I 


m 

(FOUO) ' 


Comments 


, neither agreed nor disagreed, stating that the 


(b)(7)(E) 


stated that 


the information systems security manager 
accordance with Defense Information Systems Agency Security Technical 
Implementation Guide requirements. 

(U) Our Response 

(U) Comments from] 

specifics of the recommendation, and no further comments are required. However, we 
request a copy of the approved procedures for reviewing audit logs before we close 
the recommendation. 


addressed all of the 


e. (U) develop and implement procedures to verify that access forms 
are properly completed before granting access to the SECRET 
Internet Protocol Router Network. 
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(U)Comments 

neither agreed nor disagreed, stating that the 
implemented a policy for accessing the network that requires 
alltraining and access request forms to be complete and correct before granting 
access to a user. 

(U) Our Response 

(U) Comments addressed all of the 

specifics of the recommendation, and no further comments are required. However, we 
request a copy of the approved policy before we can close the recommendation. 

(U) 7th SC(T) Comments 

(U) Although not required to comment, the Commander, 7th SC(T), stated that Army 
Cyber Command and Second Army should coordinate with the Network Enterprise 
Technology Command to establish and implement procedures Army-wide. 

(U) Our Response 

(U) We acknowledge the Commander's comments, but did not redirect the 
recommendation to a higher-level command because the NECs need to be involved in 
developing and implementing corrective actions specific to their organizations. We 
agree with the Commander that deficiencies identified in the report may require 
Army-wide action, which is why we included a recommendation for the Army Chief 
Information Officer and Army Cyber Command and Second Army to review Army 
SIPRNet safeguards at each command and apply corrective actions as necessary. 

(U) Recommendation A. 10 

(U) We recommend that thej9U9HHH^||h 

develop and implement procedures to verify that access forms are properly 
completed before granting access to the SECRET Internet Protocol 
Router Network. 

(U) Management Comments Required 

mH did not provide comments on a draft of the 
report. We request that themmU provide comments on the final report. 
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(U) 7th SC(T) Comments 

(U) Although not required to comment; the Commander, 7th SC(T), stated that the 
7th SC(T) security office validated security clearance and access eligibility as part of its 
process for completing access request forms. 

(U) Our Response 

(U) We acknowledge the Commander's comments; however, the 7th SC(T) did not 
validate clearances for non-7th SC(T] personnel with SIPRNet access provided by the' 
NECs. Although the Commander stated the 7th SC(T) security office validated access 
forms, IfSMBHI could not provide 21 of the 44 SIPRNet access forms requested. 
Without signed access request forms, there is no assurance that personnel were 
properly validated or approved for SIPRNet access. : 

(U) Recommendation A. 11 

(U) We recommend that the 

develop and implement procedures to verify that access 
forms are properly completed before granting access to the SECRET Internet 
Protocol Router Network. 



properly completed. 

(U) Our Response 

(U) Comments from the Director^^^^f^^^^f^m^, addressed all of the 
specifics of the recommendation, and no further comments are required. 


(U) Recommendation A. 12 



required by DoD guidance; 
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c. (U) develop and implement procedures to verify that access forms 
are properly completed before granting access to the SECRET 
Internet Protocol Router Network. 


(UJ Management Comments Required 

did not provide comments on a draft of this 
report. We request that the Director provide comments on the final report. 

(U) 7th SC(T) Comments 

(U) Although not required to comment, the Commander, 7th SC(T], stated that 
Ariny Cyber Command and Second Army should coordinate with the Network 
Enterprise Technology Command to establish and implement procedures Army-wide. 
In addition, the Commander suggested combining Recommendations A.12.a, A.12.b, 
and A.12.C with Recommendations A.9.a, A.9.b, A.9.c, and A,9.d. 


(U) Our Response 

(U) We acknowledge the Commander's comments, but did not redirect the 
recommendation to a higher-level command or combine the recommendations because 
the NECs need to be involved in developing and implementing corrective actions 
specific to their organizations. We agree with the Commander that deficiencies 
identified in the report may require Army-wide action, which is why we included a 
recommendation for the Army Chief Information Officer and Army Cyber Command 
and Second Army to review Army SIPRNet safeguards at each command and apply 
corrective actions as necessary. 

(U) Army Cyber Command and Second Army Comments 
flFOUO) Although not required to comment, the Deputy Commanding General, 
Operations, Army Cyber Command and Second Army, stated that Army Cyber Command 
and Second Army agreed with the findings and recommendations. The Deputy 
Commanding General stated, 
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Additionally, the Deputy Commanding 
General stated that Army Cyber Command and Second Army 


The Deputy Commanding General stated that the Commander, 7th SC(T], was in a better 
position to standardize practices and direct corrective actions, but also stated that Army 
Cyber Command and Second Army would take necessary action to ensure that 
subordinate commands implemented the recommendations within of the date of 
the final report. Furthermore, the Deputy Commanding General acknowledged that 
merely correcting and reporting on the findings identified in the DoD Inspector General 
report was inefficient and ineffective in addressing SIPRNet security deficiencies. 


(U) Our Response 

We agree with the Deputy Commanding General's comments, but did not 
redirect all recommendations in the report to higher-level commands. Instead, 
we added the Commander, Army Cyber Command and Second Army, and the 
Commander, 7th SC(T), to the recommendations when appropriate. We acknowledge 
that 7th SC(T) may be in a better position to standardize procedures and oversee the 
implementation of corrective actions. Although the Deputy Commanding General 
stated it was inappropriate for NECs to answer the recommendations, the NECs need : 
to be involved in developing and implementing corrective actions specific to their 
organizations. We also agree with the Deputy Commanding General 

which is why we included a recommendation for the Army 
Chief Information Officer and Army Cyber Command and Second Army to review Army 
SIPRNet safeguards at each command and apply corrective actions as necessary. 
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b) (7)(E) 


(b)(7)(E) 


(b)(7)(E) 


(b)(7)(E) 




Specifically: 


m(b) (7)(h) 
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in coordination with the Division Chief, Army Spectrum 


(U) 31 National Security Telecommunications and Information Systems Security Instruction 7003, "Protected Distribution 
Systems," December 13,1996. 

(U) 32 The Army Spectrum Management Office is the headquarters for the Frequency Management group. 
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(jF ' Q ' UO) Management Office, 

'te^* :,: as required by the National Security 

Telecommunications and Information Systems Security Instruction 7003, "Protected 
Distribution Systems," December 13,1996. 



(U) SIPRNet Physical Security Safeguards 



(U) 33 DoD Manual 5200.01, volume 3, "DoD Information Security Program: Protection of Classified Information," 

March 19, 2013. 

(U) 34 Tactical Local Area Network Encryption (TACLANE) is an in-line network encryptorfor development in DoD tactical and 
strategic networks. TheTACLANE is used to encrypt classified network traffic. The TACLANE is connected to SIPRNet 


|<b)(7)(E) 
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(U) Two-Factor Authentication 
































Finding B 


(U) End-of-Day Security Checks 

(FOUO) 



(rOUOj DoD must defend its information and must do more to secure its cyber 
infrastructure. 1 
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(U) Recommendations, Management Comments, 
and Our Response 

(U) Renumbered Recommendations 

(U) As a result of management comments, we renumbered draft Recommendation B.l.a 
and B.l.b as Recommendation B.3.a, B.3.b, B.4.a, and B.4.b; draft Recommendation B.2.a 
and B.2.b as Recommendation B.l.a and B.l.b; draft Recommendation B.3 as 
Recommendation B.7; draft Recommendation B.4 as Recommendation B.2; draft 
Recommendation B.5 as Recommendation B.7; draft Recommendation B,6.a and B.6.b,as 
Recommendations B.5.a and B.S.b; draft Recommendation B.7 as Recommendation B.6; 
and draft Recommendation B.8 as Recommendation B.4.c. 


(U) Recommendation B.l 

(U) We recommend that 


ct. U U UJ 


b. (U) develop and implement a training program to ensure personnel 
understand their responsibilities 


Comments 



Furthermore, the Commander stated that the changes t 
process for managing access (as part of Recommendation A.5) would ensure personnel 
were aware of their responsibilities before being granted SIPRNet access. j 
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(U) Our Response 

(U) Comments from the Commander addressed all of the specifics of the 
recommendation, and no further comments are required. 

(U) Recommendation B.2 


(U) We recommend that the 

(b)(7)(E) m 

: 

i 

develop and implement a training program to 


ensure personnel understand their responsibilities 



Comments 


neither agreed nor disagreed, stating that the 
worked with applicable security groups to ensure that 


1(b) (7)(E) 



(U) Our Response 
(U) Comments from^ 
specifics of the recommendation; and no further comments are required. 

(U) Recommendation B.3 

(U) We recommend that the 


addressed all of the 
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b. (U) develop and implement a training program to ensure personnel 
understand their responsibilities] 


(U) Management Comments Required 

(U)|_ 

comments on a draft of this report. We request that the J 
| provide comments on the final report 

(U) Recommendation BA 

(U) We recommend that 


did not provide 



eta 


|; and 


b. (U) develop and implement a training program to ensure personnel 
understand their responsibilities] 


c. f FOUO - ) 


(U) Management Comments Required 

(U)| 

did not provide comments on a draft of this report. We request that the j_ 

provide comments on the final report. 

(U) Recommendation B.5 

(U) We recommend that the Division Chief, Army Spectrum Management Office, in 
coordination with the] 



a ■ ll U u U I 
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b. (FOLIO) 


(U) Management Comments Required 


report. We request that 


did not provide comments on a draft of this 
provide comments on the final report. 


(U) 7th SC(T) Comments 

(U) Although not required to comment, the Commander, 7th SC(T), stated that thtjl 



(U) Our Response 

(U) We agree with the Commander that 



(U) Army Spectrum Management Office Comments 

(U) Although not required to comment, the Division Chief, Army Spectrum Management 
Office, Headquarters, Department of the Army, Chief Information Officer/G-6, neither 
agreed nor disagreed, stating that 

The Division Chief stated that the Army Spectrum Management 

Office was 


(U) ? 8 Committee on National Security Systems Instruction 7003, "Protected Distribution Systems," September 2015. 

. Report No. DODIG-2016-119 1 42 


■ SECRET 


















Finding B 


(U) Our Response 

(U) Comments from the Division Chief partially addressed the specifics of the 
recommendation. The comments did not address 

We request that the 

Division Chief provide additional comments 


(U) Recommendation B.6 


(U) We recommend that 


a 


(U) Management Comments Required 


(u) did 

not provide comments on a draft of this report. We request that 



provide comments on the final report. 


(U) Recommendation B.7 

(FOUO) We recommend the ^^9 


(U) Management Comments Required 

Wjggg^HHB B—i—— 

did not provide comments on a draft of this report. We request 
that theprovide comments on the final report. 


Report No. DODIG-2016-119 j 43 



















Finding B 



(U) 7th SC(T) Comments 

(U) Although not required to comment, the Commander, 7th SC(T], stated that 
recommendations should be directed to the Department of the Army, Intelligence 
Directorate, to coordinate with Army Cyber Command and Second Army and the 
Network Enterprise Technology Command to establish and implement procedures 
Army-wide. The Commander stated 



that the report did not identify 


He stated that DoD Manual 5200.01, 


volume 3, 39 


The Commander stated that all non-open storage 


areas were restricted from openly storing classified information. He stated that 


(b) <7){E) 


com pked with the requirements of 

DoD Manual 5200.01, volume 3. In addition, he stated that 7th SC[T) was awaiting 
guidance, policy, or procedures from Department of the Army, Intelligence Directorate, 

In the Commander 

also stated that 7th SC(T) Intelligence Directorate published a SIPRNet training and 
maintenance user guide that was available to all 7th SC(T) units. 


(U) Our Response 

(U) We acknowledge the Commander's comments, but did not redirect the 
recommendation to a higher-level command becausem|| and the NECs need 
to be involved in developing and implementing corrective actions specific to 
their organizations. 

(U) We agree the report did not specifically identify the areas requirin^pj| py|^S 
mm|. We also acknowledge and agree that DoD Manual 5200.01, volume 3 40 
applies only to open storage areas. 


(U) 99 DoD Manual 5200.01, volume 3, "DoD Information Security Program: Protection of Classified Information," 

; March 19, 2013. 

(U) 40 The Commanding General referenced the appendix to enclosure 3, paragraph 3.a.(2). 
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according to the Defense Information Systems Agency 
Security Technical Implementation Guide. 41 The areas where we identified deficiencies 


b)(7){E) 


b) (7)(E) 





(U) Installation Management Command Comments 

(U) Although not required to comment; the Deputy Commanding General; Installation; 
Management Command; stated that 


In addition; the Deputy Commanding General stated 


Deputy Commanding General recommended redirecting the recommendations to other 
responsible commands instead of the Garrison Commanders based on requirements in 
Army Regulations 380-5; "Department of the Army Information Security Program/' 
September 29, 2000; and 25-1; "Army Information Technology," June 25, 2013. = 

(U) Our Response 

(U) Although the Deputy Commanding General suggested removing Garrison 
Commanders from the recommendations and redirecting them to other commands, 
we did not remove the Garrison Commanders from the recommendations. We 
acknowledge that the Garrison Commanders! 


In responding to a 

draft of this report, the Garrison Commander, 


In addition, the 

Commanding General, Operations, Army Cyber Command and Second Army, provided 
comments on a draft of the report stating that the command would ensure subordinate 
commands and organizations implemented corrective actions within of the date 
of the final report. 


(U) 41 Defense information Systems Agency, "Access Control In Support Of Information Systems," Security Technical 
Implementation Guide, version 2, release 3, October 29, 2010. 
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(U) Army Cyber Command and Second Army Comments 
£P 6U0) Although not required to comment, the Deputy Commanding General, 
Operations, Army Cyber Command and Second Army, stated that Army Cyber Command 
and Second Army would take necessary actions to ensure subordinate commands 
implemented the recommendations requiring NECs to coordinate with Garrison 
Commanders within mm of the date of the final report. In addition, the Deputy 

Commanding General stated 

should be addressed by the Commander, Installation Management Command. 

(U) Our Response 

(FQUO) We commend Army Cyber Command and Second Army for taking the lead in 
ensuring corrective actions are taken to address the reported deficiencies. We also 

that 

command assistance to correct. 
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(U) Appendix A 


(U) We conducted this performance audit from September 2015 through May 2016 in 
accordance with generally accepted government auditing standards. Those standards 
require that we plan and perform the audit to obtain sufficient, appropriate evidence . 
to provide a reasonable basis for our findings and conclusions based on our audit 
objectives. We believe that the evidence obtained provides a reasonable basis for our 
findings and conclusions based on our audit objectives. 


(UJ We reviewed the Land Warrior Network managed by 7th SC(T) and locations 
independent of Land Warrior Network. We nonstatistically selected a sample of 



Army commands properly implemented logical and physical security safeguards to 
protect SIPRNet access points. The locations chosen represented different SIPRNet 
management structures. We reviewed logical and physical security safeguards at 
each location and the certification and accreditation packages for each network. 

(U) We interviewed personnel at: 

• (U] Army Chief Information Officer/G6 to discuss 
SIPRNet responsibilities; 

• (U) Army Cyber Command and Second Army to discuss SIPRNet 


1(b)(7)(E) 


• (U) Army Network Enterprise Technology Command to discuss 

SIPRNet management and responsibilities; 


(U) 7th SC(T) to discuss SIPRNet management; 


to discuss! 


(U) Regional NEC at j 


to discuss! 


I; and 
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• (U) 


|<b>(7)(E) 

(b)(7)(E) 


and required security training. 

At the locations visited, we performed various tests, to include: 

o (U) observing physical security for SIPRNet access points; 

o (U) performing control tests for write privileges, background 
checks, and the completion of DD Form 2875, DD Form 2842, 
and nondisclosure agreements; and 

o (U] selecting a random 42 sample of accounts to perform control 
tests as follows: 


• (U) 42 accounts from a universe of^JSIPRNet 
accounts atj|jf||| 

• (U) 33 accounts from a universe of JJSIPRNet 
accounts 

• [U) 44 accounts from a universe ofJJSIPRNet 
accounts at^^m^; 

• (U) 43 accounts from a universe of^| SIPRNet 
accounts atjmmi||||^^^y andUBH ^^B 

• (U) 21 accounts from a universe of^ SIPRNet 
accounts at^mjjj^mm^^; and 

• (U) 35 accounts from a universe of^| SIPRNet 
accounts at 


(U) 42 We randomized the universe to reduce bias during sample selection. 
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(U) These decision rules applied for our control tests: if the sample had no errors, the 
control passed. If the sample had one or more errors, the control failed. For our control 
tests we used the sample size given in Figure 3 of the Journal of Public Inquiry, 
Fall/Winter 2012-2013, "Statistical Sampling: Choosing the Right Sample Size." 43 


(FOUQ) 



(U) In addition, we tested whether the DD Forms 2875 were appropriately completed 
and approved by verifying whether: 

• (U) the user, IA Officer, and security manager signed the form; 

• (U) IA training was completed within a year of the IA manager 
signature; and 

• (U) boxes were checked to confirm that the user had a need-to-know : 
and authorized access. 


(U) Furthermore, we tested whether DD Forms 2842 were appropriately completed and 
approved by verifying that the user and registration official signed and dated the form. 
To determine whether the NECs 
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(U) Use of Computer-Prc 

(FOUQ) We used computer-processed data from the Assured Compliance 
Assessment Solution, a DoD tool managed by Defense Information Systems Agency 
in coordination with the Army Network Enterprise Technology Command. We obtained 
and analyzed Assured Compliance Assessment Solution vulnerability scans from||^| 

We used the data 

to determine whether commandsThe 
Assured Compliance Assessment Solution 

We interviewed personnel fromj||||H 


|m|| included in the vulnerability scans. We determined that Assured 
Compliance Assessment Solution vulnerability scans were sufficiently reliable for 
the purpose of this report. 



(FOUO) We obtained and analyzed data from the Joint Personnel Adjudication System to 
determine whether personnel obtained background checks and signed nondisclosure 
agreements. We interviewed security managers about the data contained in the Joint 
Personnel Adjudication System and observed the managers querying the data. We 
determined that these data were sufficiently reliable for the purpose of this report. 
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(U) Use of Technical Assistance 

(U] We obtained support from the DoD Office of Inspector General Quantitative 
Methods Division to develop a random sample for review. We obtained support from 
the DoD Office of Inspector General Technical Assessment Directorate to define SIPRNet 
access points. 

(U) Prior Coverage 

(U) No prior coverage has been conducted on Army SIPRNet access points during the 
last 5 years. 
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(U) The networks we reviewed were granted authorizations to operate under DIACAP. 
The authorizations were valid for up to 3 years until the networks were recertified. 
According to the RMF, 44 system owners were required to develop a strategy and 
schedule for transitioning to RMF if a system had a current DIACAP or equivalent 
accreditation decision or if the system owners began executing the DIACAP 
Implementation Plan. The schedule for transitioning to RMF must not exceed the 
system reauthorization timeline. The authorizations to operate at each of the Army 
locations visited were valid under DIACAP as follows: 

• (II) Hi-April 1, 2016; 

- August 14, 2016; 

; • - November 12,2017; 

• - July 16, 2017; 45 

• -April 19, 2018; and 

- November 13, 2017. 


(U) f 4 DoD Instruc tion 8510.01, "Risk Man agement Framework (RMF) for DoD Information Technology (IT)/' March 12,2014. 

(U) 45 B§m3 are both included ir^U^Uj^n Authorization to Operate. 
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(U] we received and reviewed all 42 requested DD Forms 2875 or the similar 

form (jjjjfflll officials stated they used FH Form 25-29-R-E, "User Access Request and 
Responsibilities Statement/' before the DD Form 2875 was created). Of the 42 forms 
reviewed, 5 were properly completed and 37 had errors. Specifically: 46 


© (U) 15 forms were missing the initial IA training date; 

© (U) 4 forms were not signed by the user; 

® (U) 6 forms were signed by the IA manager before the user signed the form; 


© (U) 9 forms were missing an IA manager signature; 


© (U) 1 form was signed by the IA manager over a year after the user signed 

the form; 


® (U) 30 forms were missing a security manager signature; 

© (U) 20 forms did not indicate that access to classified information was 

required; and 

© (U) 16 forms did not indicate that the user had a need-to-know. 

(U) At Hi we received and reviewed 31 of the 42 requested DD Forms 2842. Of the 
31 forms reviewed, 4 were properly completed and 27 had errors. Specifically, 27 were 
not witnessed by the registration official as required. 


(U) 46 Some forms had multiple errors, so the total number of individual errors may not equal the total number of forms 
with errors. 
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(u)wm 

CU) MM we received and reviewed 35 of the 35 requested DD Forms 2875. 

Of the 35 forms reviewed, 26 were properly completed and 9 had errors. Specifically: 

• (U] 1 form did not have a date with the user signature; 

• (U) 1 form was missing the security manager signature; 

• (U) 2 forms included initial IA training dates that were after the date the user 
signed the form; and 

: • (U) 5 forms did not indicate that the user had a need-to-know. 

(U] AtHm we received and reviewed 32 of the 35 requested DD Forms 2842. 

Of the 32 forms reviewed, 31 were properly completed and 1 had an error. Specifically, 
the registration official signed the form on a different day than the user. 



so we could not assess their completeness or accuracy. 

(U)Ati|g^| we received 29 of the 33 requested DD Forms 2842. Of the 
29: forms reviewed, 7 were properly completed and 22 had errors. Specifically: 

• (U) 1 form was not filled out until after we arrived onsite on 
; January 4, 2016; and 

• (U) 21 forms were not witnessed by the registration official as 
required. Specifically: 

o (U) 1 form was not signed by the registration official; 

o (U] 2 forms were signed 2 months after the user signed the form 
and not until after we arrived onsite on January 4, 2016; and 

o (U) 18 forms were signed 1 or more days after the user signed 
the form. 
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DD Forms 2875. Of the 23 forms reviewed; 7 were properly completed and 
16 had errors. Specifically: 

® (U) 7 forms did not pertain to classified information systems (1 form had 

"classified" and "SIPRNet" access hand-written on the mostly-typed form]; 

© (U) 2 forms did not indicate that the user had a need-to-know; 

© (U) 1 form was not signed by the IA officer; 

® (U) 1 form included an initial IA training date that was after the date the 

user signed the form; and 

® (U) 8 forms were signed by the IA officer after we arrived onsite. 


(U) At| fl | ||flffm^^| we received and reviewed 18 of the 44 requested 
DD Forms 2842. Of the 18 forms reviewed, all were properly completed. 



DD Forms 2875. Of the 21 forms reviewed, 18 were properly completed and 
3 had errors. Specifically: 

© (U) 1 form included an IA training date that was more than a year before 

the user signed the form; and 

© (U) 2 forms did not indicate that the user had a need-to-know. 

(U)AfHg^^H we received and reviewed 19 of the 21 requested 

DD Forms 2842. Of the 19 forms reviewed, 8 were properly completed and 
11 had errors. Specifically: 

® (U) 1 form was not signed until after we received the sample of users 

on February 3, 2016; 
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• (U) 2 forms were not signed by the registration official to witness the 

user's signature; and 


• (U) 8 forms were signed by the registration official on a different day 

than the user. 



DD Forms 2875. Of the 8 forms reviewed; none were properly completed. 
Specifically; all 8 forms were for access to unclassified systems and not the SIPRNet. 

MAtwmm we received and reviewed 11 of the 43 requested 
DD Forms 2842. Of the 11 forms reviewed, 9 were properly completed and 2 had 
errors. Specifically, one form was not signed by the user and the other form was 
signed by the registration official on a different day than the user. 
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U) Appendix D 



ted Traintnj 


(U) At ml we requested training records for all 42 users in the sample. We found: 


® (U) 1 user did not complete initial IA training and 7 users did not properly 

complete initial IA training, 

® (U) all users completed annual IA training, 

* (U) 1 user completed initial security awareness training, 

® (U) all users completed annual security awareness training, and 

• (U) 11 users did not complete the NATO briefing properly. 


fU) At* 


we requested training records for all 35 users in the sample. We found: 


® (U) all users completed initial IA training, 

» (U) all users completed annual IA training, 

® (U) 12 users did not complete initial security awareness training, 

• (U) all users complete annual security awareness training, and 

• (U) none of the users completed the NATO briefing. 
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We found: 

• (U) cou ld not provide training records to support that users 

complete initial IA training before being granted SIPRNet access, 

• (U) all users completed annual IA training, 

: • (U) 25 users did not complete initial security awareness training and 6 users did 

not properly complete initial security awareness training, 

• (U) 18 users did not complete annual security awareness training and 8 users 
; did not properly complete annual security awareness training, and 

• (U) 15 users did not complete the NATO briefing and 12 users did not properly 
complete the NATO briefing. 



We found: 

; * (U) HUM cou ld not provide training records to support that users 

complete initial IA training before being granted SIPRNet access, 

• (U) 24 users did not complete annual IA training, 

• (U) 21 users did not complete initial security awareness training, 

• (U} 37 users did not complete annual security awareness training, and 

• (U) 17 users did not complete the NATO briefing. 
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sample. We found: 

© (U) all users completed initial IA training, 

© (U) all users completed annual IA training, 

© (U) none of the users completed initial security awareness training, 

© (U) 1 user did not properly complete annual security awareness training, and 

© (U) 1 user did not complete the NATO briefing and 1 user did not properly 

complete the NATO briefing. 



We found: 

© (U) none of the users completed initial IA training, 

© (U) 30 users did not complete annual IA training, 


• (U) 36 users did not complete initial security awareness training and 1 user did 

not properly complete initial security awareness training, 

© (U) 34 users did not complete annual security awareness training and 3 users; 

did not properly complete annual security awareness training, and 

© (U] 32 users did not complete the NATO briefing and 6 users did not properly 

complete, the NATO briefing. 
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(U) Appendix E 

(U) Criteria 

(U) We used the following guidance throughout the audit. 

(U) National Security Telecommunications and Information 
Systems Security Committee 

(U) National Security Telecommunications and Information Systems Security 
Instruction 7003, "Protected Distribution Systems,” December 13,1996, outlines 
the approval authority, standards, and guidance for PDS design, installation, 
and maintenance. 

(U) Chairman of the Joint Chiefs of Staff 

(U) Chairman of the Joint Chiefs of Staff Instruction 6510.01F, "Information 
Assurance (IA) and Support to Computer Network Defense (CNDJ,” February 9,2011, 
provides joint policy and responsibilities for IA and support to computer 
network defense. 

(U) DoD 

(U} DoD Instruction 8510.01, "Risk Management Framework (RMF) for DoD 
Information Technology (IT},” March 12, 2014, provides guidance for reciprocal 
acceptance of authorization decisions and artifacts within DoD, and between DoD and 
other Federal agencies, for the authorization and connection of information systems. 

(U) DoD Instruction 8510.01, "DoD Information Assurance Certification and 
Accreditation Process (DIACAP),” November 28, 2007, establishes a certification and 
accreditation process to implement IA capabilities and services and provide visibility 
over accreditation decisions for operating DoD information systems. This instruction 
was reissued and renamed the RMF. 
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(U) DoD Manual 5200.01, volume 1, "DoD Information Security Program: Overview, : 
Classification, and Declassification," February 24, 2012, implements policy, assigns 
responsibilities, and provides procedures for designating, marking, protecting, and 
disseminating controlled unclassified information and classified information. DoD 
Manual 5200.01, volume 3, "DoD Information Security Program: Protection of Classified 
Information," March 19, 2013, provides guidance for safeguarding, storing, destroying, 
transmitting, and transporting classified information and identifies security education 
and training requirements and processes for handling security violations and 
compromised classified information. 

(U) Army 

(U) Army Regulation 25-2 "Information Assurance," March 23, 2009, establishes 
IA policy, roles, and responsibilities. 

(U) Defense Information Systems Agency 

(IF) Defense Information Systems Agency "Enclave" Security Technical Implementation 
Guide, Version 4, Release 4, January 9, 2014, provides assistance to meet minimum 
requirements, standards, controls, and options for securing an enclave as a whole and 
provides technical guidance to secure specific enclave components in detail. 

(U) Defense Information Systems Agency, "Access Control in Support of Information 
Systems," Security Technical Implementation Guide, Version 2, Release 3, 

October 29, 2010, provides details for a security framework to use when planning 
and selecting access controls for protecting DoD sensitive and classified information. 

It provides background and context for access control issues including the process 
of identifying, authenticating, and authorizing access to protected assets. 
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(U) Management Comments 

__ __ __________ 

(U) 7th Signal Command (Theater) Comments 


UNCLASSIFIED WHEN SEPARATED FROM CLASSIFIED ENCLOSURE 
DEPARTMENT OF THE ARMY 

HEADQUARTERS, 7 " SIGNAL COMMAND (THEATER) 

423 22^ STREET • BUILDING 21716 
FORT GORDON. GEORGIA 30905-6832 


1- ZolC, 


MEMORANDUM THRU Commanding General, U S, Army Network Enterprise 
Technology Command, 2133 Cushing Street, Fort Huachuca, AZ 65613-7070 

THRU Commanding General, U.S. Army Cyber Command and Second Army, 8825 
Beulah Street, Fort Belvoir, VA 22350-1500 

FOR Director, Department of Defense, Office of Inspector General, 4800 Mark Center 
Drive, Alexandria, VA 22350-1500 

SUBJECT: 7 th SC(T) Command Reply to the SIPRNet Access Points Audit Report 


1. References. 

a, (U) Memorandum, Department of Defense Office of Inspector General (DoDIG), 
Alexandria, VA, 24 May 16, Subject: Command Comments to Draft Report on Army 
Commands Need to Improve Logical and Physical Security Safeguards That Protect 
SIPRNet Access Points 

b, (U) Memorandum, U.S. Army Cyber Command and Second Army, Fort Belvoir, 
VA, 27 Jun 16, Subject: Draft Report on Army Commands Need to Improve Logical and 
Physical Security Safeguards That Protect SIPRNet Access Points 

2. (U) Purpose, The 7 th Signal Command (Theater) Command provides a response to 
DoDIG findings and recommendations in the enclosure. 

3. (U) Audit Objective. To determine whether the Army effectively protected SECRET 
Internet Protocol Router Network (SIPRNet) access points. The DoDIG sampled the 
security safeguards protecting SIPRNet access points at selected Army locations. 

4 (U) Responsible agencies: 

a, (U) The DoDIG Audit Team incorrectly identified the responsible agency for 
several recommendations. Additionally, the team directed recommendations to a level 
that would only affect one installation. The goal of the audit was to improve safeguards 
across the Army. 



NETC-SFC-CG 


UNCLASSIFIED WHEN SEPARATED FROM CLASSIFIED ENCLOSURE 
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7th Signal Command (Theater) Comments (cont'd) 


UNCLASSIFIED WHEN SEPARATED FROM CLASSIFIED ENCLOSURE 

NETC-SFC-CG 

SUBJECT 7 th SC(T) Command Reply to the SIPRNet Access Points Audit Report 


b. (U) In accordance with Reference b, the 7 <h Signal Command (Theater) agrees 
with, and defers to Army Cyber Command's comments. The DoDIG recommendations 
should target Command-level organizations to address identified problems throughout 
the Army. The enclosure outlines specific details. 


5. (U) The 7 th Signal Command (Theater) will direct corrective actions to subordinates 
for appropriate implementation. 


6. (U) The 7 ,h Signal Command (Theater) will provide oversight to ensure enforcement 
of procedures for SIPRNet accountability and protection. 



,(b) (6) 


Enel; 7 ,h SC(T) Command Reply f© 


CF 

NETCOM Internal Review Section 
7 th SC(T) ACofS G3 
7 th SC(T) ACofS G2 


2 

UNCLASSIFIED WHEN SEPARATED FROM CLASSIFIED ENCLOSURE 
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(U) 7th Signal Command (Theater) Comments (cont'd) 

Final Report 

acoRcr Reference 

Enclosure to 7 th SC(T) Reply Memorandum to the SIPRNet Access Point Audit 


7 ,h Signal Command Reply to: 

DoDIG Draft Report on Army Commands Need to Improve Logical and Physical 
Security Safeguards That Protect SIPRNet Access Points 


DoDIG Audit Objective 

(U) Determine whether the Army effectively protected SECRET Internet Protocol Router 
Network (SIPRNet) access points . DoDIG sampled the security safeguards protecting 
SIPRNet access points at selected Amoy locations. 


DoDIG Findings and Recommendations 


FINDINGS-A : DoDIG identified Army-wide internal control weaknesses for managing 
SIPRNet circuits: 



(U) SIPRNet user access request forms were not completed, or completed incorrectly 
(U) Required in itial and refresher Sec urity Training was not conducted or completed 


DoDIG recommendations for Commanding General, 7 th Signal Command (Theater) 


Recommendation A-2 

(U) Army Chief Information Officer, in coordination with the Commander, 7th Signal 
Command (Theater), establish and implement procedures to identify who owns each 
SIPRNet circuit and the Component responsible for managing and securing each circuit. 


Command Comments 

(U) Concur with DoDIG finding, but not Recommendation A-2. DISA, Army CIO/G6 and 
ARCYBER/2A have visibility of ail Army circuits. 7 th SC(T) has visibility of circuits 
owned by the Network Enterprise Centers. 7 th SCf 


Renumbered as 
Recommendation A.2,a 
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otY^ncr 

Enclosure to 7 th SC(T) Reply Memorandum to the SIPRNet Access Point Audit 


Recommendation A-3 



, aiagnsi?nE 

<h>(7ME) 




m (7)(E) 
1(0(7)(E) 



a. (U) develop and implement procedures to verify that personnel and contractors 
requesting SIPRNet access complete initial and annual security related training and 
the North Atlantic Treaty Organization briefing as a condition for obtaining and 
maintaining access; and 

b. (U) implement a process to identify and retain training records for personnel to 
support the requirements for accessing the SIPRNet. 


Command Comments 

(U) Concur with DoDIG finding, but not Recommendation A-3. Address 
recommendations to ARCYBER or NETCOM, in coordination with the Theater Signal 
Commands, The 7 th SC(T) will confirm and enforce established procedures/processes 
in the CONUS Theater. 

a. (U) 7 th SC(T) has procedures for verification of required training and directs 
compliance for existing requirements for the sites and organtua t i n ^, 7 m SC(T) 
processes all requests for network access (DD2875) for thelillMilregardless of the 
network, through the 7 ^ SC(T) G2 Security office for validation of security clearance 
eligibility. The standing process at the Command level ensures completion of all 
security related training. This training includes annual Security Refresher Training, 
biennial Derivative Classification Training and NATO Awareness upon arrival and in¬ 
processing the unit. 

b. (U) 7 th SC(T) G2 Security retainsyftftjyds of completed security related training. 
The HHC Training element retains theHHHliltraining records. 7 th SC(T) directed the 
use of the Army Training and Certification Tracking System (ATCTS) for tracking 
required training for access to networks. 7 th SC(T) will ensure subordinate 
organizations comply with the existing requirement. 


Recommendation A-4 

(U) Commander, 7 th Sigr 


(H)(7)(E) 


eater), verify whether subordinate commands 


Command Comments 

(U) Concur with DoDIG Recommendation A-4. 7 th SC{T) issued an order requiring the 
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SECRE T 


Management Comments 


(U) 7th Signal Command (Theater) Comments (cont'd) 


Enclosure to 7 th SC(T) Reply Memorandum to the SIPRNet Access Point Audit 


Final Report 
Reference 


Recommendation A-6 


(U) 


(h) (7){E> 


p»(7KE> 


Command Comments 

(U) Concur with the DoDIG finding, but not Recommendation A-6. Address 
recommendations to ARCYBER/2A, in coordination with NETCOM and the Theater 
Signal Commands to establish and implement procedures Army-wide. 



Unsolicited 
Comments to 
Recommendations A,6, 
A.7, A. 9, A.10, 
and A.12 


Recommendation A-7 



cm 

d. (U) develop and Implement procedures to verify that access forms are properly 
completed before granting access to the SIPRNet. 


<b> (7)(E) 


Command Comments 

(U) Concur with DoDIG finding, but not Recommendation A-7. Address 
recommendations to ARCYBER/2A, in coordination with NETCOM and the Theater 
Signal Commands to establish and implement procedures Army-wide. 

a. and b. (S) 7 th SC(T) Regulation 25-2 contains the program framework for 
vulnerability management and associated procedures to correct and mitigate 
vulnerabilities; 

c. (U) See Recommendation A-6 Command Comments. 

d. ;(U) 7 ,h SC(T) G2 validates Security Clearance and Access eligibility as part of the 
access form completion. 


8 
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Management Comments 




■ ee-eftE ? 

Enclosure to 7 th SC(T) Reply Memorandum to the SIPRNet Access Point Audit 


Recommendation A-9 





as required by DoD guidance; 


kb) (7)(E) 


1(b) (7)(E> 


as required by DoD guidance, and 
as required by Army guidance; 


(b)(7)(E) 


e. (U) develop and implement procedures to verify that access forms are properly 
completed before granting access to the SIPRNet. 

Command Comments 

(U) Concur with DoDIG finding, but not Recommendation A-9. Address 
recommendations to ARCYBER/2A, in coordination with NETCOM to establish and 
implement procedures Army-wide. 


Recommendation A-10 

(^HHH^^^^^^Hl^HHHdevetop implement 
procedures to verify that access forms are properly completed before granting access to 
the SIPRNet. 

Command Comments 

(U) Concur with DoDIG Recommendation A-10. NOTE: 7 ,h SC(T) ACofS, G2 validates 
user Security Clearance and Access eligibility as part of the form completion. 


Recommendation A-12 


■(b)(7)(E) 


a. (U) 


s required by DoD guidance; 

bJU) 


as required by DoD guidance, and 
s required by Army guidance; and 

c. (U) develop and implement procedures to verify that access forms are properly 
completed before granting access to the SIPRNet. 
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Management Comments 


(U) 7th Signal Command (Theater) C 


Enclosure to 7 th SC(T) Reply Memorandum to the SI PR Net Access Point Audit 


Command Comments 

(U) Concur with DoDIG finding, but not Recommendation A-12. Combine 
recommendation with Recommendation A-9; and address to ARCYBER/2A, in 
coordination with NETCOM to establish and implement procedures Army-wide. 


Final Report 
Reference 


FINDINGS-B : DoDIG found. 



DoDIG recommendations for Commanding General, 7 ,h Signal Command (Theater) 
Recommendation B-1 


b. (U) develop ai 
their responsibilities 


1(b)(7)(E) 


derstand 


Command Comments 

(U) Noh-Concur with DoDIG recommended responsible agency. Address 
Recommendation B-1 to Department of Army (DA) G2, in coordination with ARCYBER/ 
2A and NETCOM to establish and implement procedures Army-wide. 


W O RCT 


Renumbered as 
Recommendations B.3.a 
and B.3.b and 
Recommendations B.4.a 
and B.4.b 

Unsolicited 
Comments to 
Recommendations B.l 
to B.7 
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Management Comments 


(U) 7th Signal Command (Theater) Comments (cont'd) 


QCQKCT 

Enclosure to 7 th SC(T) Reply Memorandum to the SIPRNet Access Point Audit 


b. (U) Current references include multiple DoD references within DISA Security 
Technical Implement ation Guides (STIGsT Awaiting anv DA G2 p roduced guidance, 
policy, or procedures! 


NOTE: (U) 7 th SC(T) G2 published a SIPRNet Training and Maintenance user guide; 
available via email, 7 th SC(T) SharePoint portal, or hard copy to all 7 th SC(T) units. 


Recommendation B-2 


mJy b )( 7 >< E 

) 






(b)(7)(E) 


pM7)(E) 




b. (U) develop and Implement a training Program to ensure personnel understand 


their responsibilities S 


Command Comments 

(U) Non-Concur with DoDIG recommended responsible agency. See Command 
Comments for Recommendation B-1. 


Recommendation B-3 


PUflU-tMlL) 

(b)(7)(E) 


Command Comments 

(U) Non-Concur with DoDIG recommended responsible agency. See Command 
Comments for Recommendation B-1. 


Recommendation B-4 


(b)(7)(E) 
(b)(7)(E) 


develop and 

ensure personnel understand their responsibilities 


Command Comments 

(U) Non-Concur with DoDIG recommended responsible agency. See Command 
Comments for Recommendation B-1. 


a 

gEeWET 


Final Report 
Reference 


Renumbered as 
Recommendations B.l.a 
and B.l.b 


Renumbered as 
Recommendation B.7 


Renumbered as 
Recommendation B.2 
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Management Comments 


(U) 7th Signal Command (Theater) Comments (eont'd) 


Enclosure to 7 th SC(T) Reply Memorandum to the SiPRNet Access Point Audit 


Final Report 
Reference 


Recommendation B-5 


Fb) (7){H) 


Command Comments 

(U) Non-Concur with DoDIG recommended responsible agency. See Command 
Comments for Recommendation B-t. 


Renumbered as 
Recommendation B.7 


Recommendation B-6 


Pi"' 1,11 

pb)(7KE> 


a. (U) 

1(b)(7)(E) 


required by Federal guidance; and 


<fc)(/>(t) 


|(b)(7)(E) 




Renumbered as 
Recommendations B.S.a 
and B.S.b 


Command Comments 

(U) Non-Concur with DoDiG recommended responsible agency, 
a. M Per CNSSI 7003. dated Seo 2015.1 



Recommendation B-7 


WJR'i'Hu u 

pb) <7)(E) 


Command Comments 

(U) Non-Concur with DoDiG recommended responsible agency. See Command 
Comments for Recommendation B-1. 


Renumbered as 
Recommendation B.6 


8 

OEemiT 
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Management Comments 


(U) 7th Signal Command (Theater) Comments (eont'd) 


Enclosure to 7 th SC(T) Reply Memorandum to the SI PR Net Access Point Audit 

Recommendation 6-8 


WJU'U/HD 

fb) (71(E) 


Command Comments 

(U) Non-Concur with DoDIG recommended responsible agency. See Command 
Comments for Recommendation B-6. 


Final Report 
Reference 


Renumbered as 
Recommendation B.4.c 
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■ SE CR ET 


Management Comments 


(U) Program Executive Officer Enterprise Information 
Systems Comments 



UNCLASSIFIED 

DEPARTMENT OF THE ARMY 

OFFICE OF THE PROGRAM EXECUTIVE OFFICER 
ENTERPRISE INFORMATION SYSTEMS 
jPEO EIS) 

9350 HALL ROAD 

FORT BELVOIR, VIRGINIA 22060-5526 


SFAE- PS 


24 June 2018 


MEMORANDUM FOR RECORD 


SUBJECT: Project Lead Acquisition, Logistics, Technology, Enterprise. Systems Services (PL 
ALTESS) Plan of Action 


lib) (6). (b)(7)(E) 


UNCLASSIFIED 
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Management Comments 
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Management Comments 
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Management Comments 



Final Report 
Reference 


Renumbered as 
Recommendations B.l.a 
and B.l.b 
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(b)(7)(E) 


(b)(7)(E) 
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Management Comments 


(U) Army Chief Information Officer Comments 


Final Report 
Reference 



DEPARTMENT OF THE ARMY 
OFFICE OF THE SECRETARY OF THE ARMY 
107 ARMY PENTAGON 
WASHINGTON DC 20310-0107 



DUM FO 


Department of Defense fDoD) Inspector General 




Center Drive, Alexandria, Virginia 22350-1500 


(IG), ATTN: 
4800 Mark 


SUBJECT: (U/ yroUO) CIO/G-6 Comments to DoDIG Draft Report: “(U)Army 
Commands Need to Improve Logical and Physical Security Safeguards that protect 
SIPRNet Access Points (Project No. D2O15-D0O0RC-0241.000) dated 24 May 2016 


1. (U) HQDA CIO/G-6 appreciates the opportunity to review the draft report on the audit 
of logical and physical security safeguards that protect the SIPRNet access points and 
concurs with the findings and recommendations with comments. 


2 . (U) ReCOmm*nrlaHnn Ala 
procedures to 


mir#»R niO/rt-fi tn rlpi/fafnn and Imnlfimsnt nnllrJas anil 



3, (U/ r0U0) Recommendation A.1 .b. requires CIO/G-6 to review the deficiencies 
identified in the report, require a thorough review of the Army SECRET internet Protocol 
Router Network security safeguards performed at each command within the Army, and 
apply corrective actions as necessary. CIO/G-6 will review the issues, Identify policy 
gaps, and issue memoranda to resolve the issues. Additionally, CIO/G-6 w ill coordinate 
with ARCYBER/2 n(} Army to identify and implement corrective actions within] 
from the date of the final report. 


4. (U /iTOUO ) Recommendation A.2. requires CIO/G-6 to coordinate with the 
P.nmmflnrtflr 7th Sinnal Gnmmnnd /ThaatarV establish and implement nronedures to 




5. (U) The point of contact for this action is 



[b)<6) 


Renumbered as 
Recommendation A.l 


Renumbered as 
Recommendation A.2.b 


Renumbered as 
Recommendation A.2.a 


Acting U.S. Army Cybersecurity Director 
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Management Comments 
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Management Comments 



Final Report 
Reference 


Renumbered as 
Recommendation B.2 
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Management Comments 









Management Comments 







SE C R E T 


Management Comments 


(U) US Army Installation Management 



Final Report 
Reference 


Renumbered as 
Recommendations B.3,a, 
B,3.b, B.4.a and B.4.b 


Renumbered as 
Recommendation B.7 
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Management Comments 




DEPARTMENT OF THE ARMY 

U.S. ARMY CYBER COMMAND AND SECOND ARMY 
8825 BEULAH STREET 
FORT BELVOIR, VIRGINIA 22060-5246 


Final Report 
Reference 


ARCC-IR 


27 June 2016 


MEMORANDUM FOR Departmen t of Defe 


SUBJECT: (UflF OUO) Command Comments to DoDIG Draft Report: “(U) Army 
Commahds Need to Improve Logical and Physical Security Safeguards That Protect 
SIPRNet Access Points (Project No. D2015-D000RC-0241.000) dated 24 May 2016 (S) 

1. (U) U.S. Army Cyber Command (ARCYBER) and Second Army (2A) reviewed the 
subject draft report and your recommendations. Although no recommendations were 
directed to the Commander, ARCYBER & 2A, recommendations were directed to our 
subordinates, the US Army Network Ent erprise Technology Command rNFTn oiVh 7th 
Signal Command (Theater) (7th 

several Network Enterprise Centers (NEus;. in our roie as mgner headquarters for the 
aforementioned organizations, we view your findings within our purview to evaluate, 
respond to, and assist in the execution of corrective actions. 

2. (U) We concur with comments. 

3. (U) Recommendation A.lb. is directed to the Army Chief Information Officer 
(CIO/G6) but states in part "require a thorough review of the Army SECRET internet 
Protocol, Router Network security safeguards performed at each command within the 
Army, and apply corrective actions a s necessary.” The An 


Renumbered as 
Recommendation A.2.b 


1(H)(5). (H)(7)(E) 


iiuTW 


ARCYBER. 


? Den ujiiuuis wun mis recommendation ana in conjunction with 
Information Officer (CIO/G6) will implement the recommendation within iilUSHron 
the date of the final report. 

4. (U) Recommendation A.2. recommends "that the Army Chief Information Officer 
coordination with the Commande 




Renumbered as 
Recommendation A.2.a 


Report No. DOD1G-2016-H9 | 84 












Management Comments 


UNCLASS 


Final Report 
Reference 


UNCLASsriEP/ ron orriouL use onlv 

ARCC-IR 

SUBJECT: Command Comments to DoDIG Draft Report: “(U) Army 

Commands Need to Improve Logical and Physical Security Safeguards That Protect 
SIPRNet Access Points (Project No. D2015-DOOORC-0241.000) dated 24 May 2016 (S) 


recommendation and In conjunction with tl 
will implement the recommendation within 


HHIBaRCYBER concurs with this 
heArm^Jhief Information Officer (CIO/G6) 
i wHjHfrom the date of the final report. 


5. (U) R 


zT h *1 n t«■TJTT* Bi iriiTVlvCfl liWfl vfJSm 
< |( b)(5),(b)(7)(E) 


MKUYBtK & za concurs with this 


recommendation and will take such actions as may be necessawJimnsure that all 
subordinate elements implement the recommendation within m^^from date of 
the final report, 

6, (U //TQUQ ) Recommendations A.3,a, A.3.b, A.6, A.9.a, A.9.b, A.9.C, A.9.d, A.9.e, 
A.10, A.12.a, A.12.b, A.12.C, B.I.a, B.l.b, B.3, B.4, B.5, B,6.a, B.6.b, B.7, and B.8 were 
directed to individual NEC Directors. 


1(b) (5), (b) (7)(E) 


The Commander, 7th SC(T) is In a much better position to 
standardize practices and direct the correction of deficiencies. 


c. (U/ /TQU® 1 ) ARCYBER & 2A concurs with these findings and recommendations; 
however, disagrees with the recommendation’s addressee. ARCYBER & 2A will take 
such actions as may be nece s s a ry to ens ure that all subordinate elements implement 
the recommendations withir^^HHfrom the date of the final report. 

d. (U flTOUO ) Where the recommendations are for Army installation Management 
Command elements (e.g. Garrison Commanders) to “coordinate" with a NEC, we 
concur with the recommendation as stated and will take such actions as may be 
nece ssary to en sure that all subordinate elements implement the recommendations 
within jiflE^Bi from the date of the final report. 

^j j j/ jj gBpg -g ^ ctfnmendation A.7 is directed to 

ARCYBER & 2A concurs with this recommendation and will take 
such actions as may be nec ess ary to ensure that all subordinate elements implement 
the recommendation withinMffllii from the date of the final report. 


Recommendations B.I.a 
and B.l.b renumbered 
as Recommendations 
B.3.a, B.3.b, B.4.a, 
and B.4.b; 

Recommendation B.3 as 
Recommendation B.7; 

Recommendation B.4 as 
Recommendation B.2; 

Recommendation B.5 as 
Recommendation B.7; 

Recommendations B.6.a 
and B.6.b as 

Recommendations B.5.a 
and B.5.b; 

Recommendation B.7 as 
Recommendation B.6; 
and 

Recommendation B.8 as 
Recommendation B.4.c 
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Management Comments 



10. (U//FOUG) ARCYBER & 2A concurs with the remainder of the report without 
comment and will ensure corrective actions are directed to the appropriate activities for 
implementation. 


11. (U) If you have any questions 
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UNCLASSIFIED 




REPLY TO 
ATTBJTtON OF 


DEPARTMENT OF THE ARMY 
ARMY SPECTRUM MANAGEMOYT OFFICE 
8916 COOPER AVE.. OPERATIONS BUILDING 
FORT MEADE, MD 20785-7901 


SAIS-AOS 

MEMORANDUM FOR DoD Office of Inspector General (OIG) 

SUBJECT: FUNDING SUPPORT FOR DoD AFC AZ SIPRNct MODIFICATION 


6 June 2016 


as identified in your DoD OIG draft report entitled "Army 
Commands Need to Improve Logical and Physical Security Safeguards That Protect SIPRNet 
Access Points" as requiring modification of the SIPRNet Protective Distribution System (PDS). 


4, T would request that the negative finding in the OIG draft report include a statement that the s 
plan is in place to correct the deficiency. 


HQDA CJU/U-6 


Army Spectrum Management Office 


UNCLASSIFIED 
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Glossary 


(U) Glossary 


(U] Active Directory. A special purpose database that is designed to handle a large 
number of read and search operations. The database is used by network users and 
administrators to store data. 

(U) Authorization to Operate. Authorization granted by a designated accrediting 
authority for a DoD information system to process, store, or transmit information; an 
Authorization to Operate indicates a DoD information system has adequately 
implemented all assigned IA controls to the point where residual risk is acceptable to 
the designated accrediting authority. ATOs may be issued for up to 3 years. 

(U) Boundary Protection. Monitoring and controlling communications at the external 
boundary of an information system to prevent and detect malicious and other 
unauthorized communications. 

(U) Category I. Assigned to findings that allow primary security protections to be 
bypassed, allowing immediate access by unauthorized personnel or unauthorized 
assumptions of super-user privileges. 

(U) DoD Components. Combatant commands, Military Services, DoD agencies, and 
field activities. 

(U) Enclave. A set of system resources that operate in the same security domain and 
that share the protection of a single, common, continuous security perimeter. 

(U) Firewalls. Hardware and software that limits access between networks or systems 
(or both) in accordance with a specific security policy. 

(U) Logical Safeguards. System-based mechanisms such as firewalls, permission 
settings, usernames and passwords, and SIPRNet tokens that are used to designate who 
or what has access to a specific system or function. 

(U) Information Assurance. Measures that protect and defend information and 
information systems by ensuring their availability, integrity, authentication, 
confidentiality, and nonrepudiation. These measures include providing for restoration 
of information systems by incorporating protection, detection, and reaction capabilities. 
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Glossary 


(U) Internet Protocol Address. An identifier assigned to equipment connected to 
the network. 

(U) Media Access Control Address. Common device identifier, for example, a unique 
identifier that is inherent to a computer, printer, or other network device. 

(U) Physical Safeguards. Locks, guards, and security containers used to deter or delay 
an adversary's access to the network. 

(U] Plan of Action and Milestones. A permanent record that identifies tasks to be 
accomplished to resolve vulnerabilities and is required for any accreditation decision 
that requires corrective actions. A Plan of Action and Milestones specifies resources 
required to accomplish the tasks enumerated in the plan and milestones for completing 
the tasks; it is also used to document designated accrediting authority accepted 
noncompliant IA controls and baseline IA controls that are not applicable. 

(U) Port Security. A security practice in which network ports are locked electronically 
so they can be used only by approved devices. 

(U) Protected Distribution System. A system used to transmit encrypted classified 
National Security Information through an area of lesser classification or control. 
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Acronyms and Abbreviations 


(U) Acronyms and Abbreviations 



7th SC(T) 7th Signal Command (Theater) 


(b)(7)(E) 


CAT Category 

DIACAP DoD Information Assurance Certification and Accreditation Program 

IA Information Assurance 
NATO North Atlantic Treaty Organization 
NEC Network Enterprise Center 
PDS Protected Distribution System 
RMF Risk Management Framework 
SIPRNet SECRET Internet Protocol Router Network 


TACLANE Tactical Local Area Network Encryption 
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Annex 



Source 1: (Document classified SECRET) 

Declassify On: 20260129 

Date of Source: January 29, 2016 
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Whistleblower Protection 

U.S. Department of Defense 

The Whistleblower Protection Ombudsman's role is to 
educate agency employees about prohibitions on retaliation 
and employees' rights and remedies available for reprisal. 
The DoD Hotline Director is the designated ombudsman. 
For more information, please visit the Whistleblower 
webpage at www.dodig.mil/programs/whistleblower. 


For more information about DoD 1G 
reports or activities, please contact us: 

Congressional Liaison 

congressional@dodig.mil; 703.604.8324 

Media Contact 

public.affairs@dodig.mil; 703.604.8324 

For Report Notifications 

http://www.dodig.mil/pubs/email_update.cfm 

Twitter 

twitter.com/DoD_IG 

DoD Hotline 

dodig.mil/hotline 
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